Quote: So the box has been compromised, backdoor installed and it's been converted to a zombie. The attacker made several mistakes allowing him to be detected:

* Forgot to wipe out root's .bash_history.
* Wiped out everything under "/var/log/*", including directories which several programs relied on, which thereby refused to start. Now, why did he do that? This certainly was stupid.
* Changed the root-password. Another bummer. Never ever change the root-password. This surely will catch the attention of a sysadmin...